SECURITY LOOPHOLE - .Nupkg exposing source code when renamed as ZIP


There is a security loop hole when i rename a .nupkg extension to a .zip extension. when the zip extension is extracted we can see the source code files.

Example :

  1. project.nupkg
  2. rename to
  3. extract
  4. Source code is exposed

This is a compliance issue when development partners hold full rights to the source code.

Did i just find a security flaw? or is there a workaround to prevent this from happening.



Instead of renaming it and zip the file and then extract from zip file and check once.


The point when changing the extension name from Nupkg to ZIP the source code gets exposed during extraction.

Simply zipping the nupkg and extracting it has no effect

1 Like

Hi @malikmueez

You might need to use a Obfuscator to encrypt the code inside the nupkg file. I personally don’t use one, but you will be able to find a good obfuscator online. I think there are some free software as well…

1 Like

This is not a flaw - a nupkg is simply a more specific type of zip file. Every nupkg is a zip but not every zip is a nupkg.

As @Lahiru.Fernando mentioned you’ll probably want to use an obfuscator if you’re concerned about someone opening the source code files. Here is a Stack Overflow question with some preferred obfuscators.


Even you can unzip a .nupkg file you will only able to see the DLL’s in the process but you cannot get the source code exact and in which language in which the code was written as .Net supports more than 60 languages. if i’m not wrong.

It’s fairly easy to extract code from a .dll if it is not obfuscated, though. For example, if I look at my custom activity dll files in JetBrains dotPeek then I am able to see the source code.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.